Security products and practices will be reinvented to protect the Internet of things, but the real solution centers on a simple idea

InfoWorld|Apr 15, 2014

IoT (Internet of things) had to happen eventually, like flying cars. As it turned out, we got IP-connected cars first, not to mention IP-connected bathrooms, gardens, dog collars, shoes, and on and on. Think of it this way: We weren't given IPv6 with its 3.4×1038 unique IP addresses just to connect computers.

To be sure, IoT will be full of security vulnerabilities. The majority of the people coding these "things" have less security training than the average reader of this column. They aren't threat-modeling attacks. They've never heard of buffer overflow, DDoS, or credential theft. They're just good at programming firmware and making "things" talk to each other.

You don't have to be a guru to realize every previous attack that was possible on PCs (including worms, viruses, and trojans) will occur across IoT. It happened on mobile devices and cellphones, though we had many years to prepare.

The lack of threat modeling by nearly everyone developing an IoT device will ensure that thousands of pervasive security problems will emerge. Developers simply can't anticipate all the different devices their hardware will interact with. They won't do input checking well enough. They won't be able to comprehend all the foreign networks and new protocols that will fall between point A to point Z. They won't be able to anticipate the myriad ways their device will be abused. They will have poor-to-nonexistent event logging. Privacy will be broken all the time, and anything your device knows about you, including financial information, will be readily available to cyber criminals.

This is despite the fact that nearly everyone in today's computer security world understands many of the challenges. We already have an RFC about it. You can read a book about it. Nonetheless, society will get it wrong, and those of us in the computer security world will have job security until we retire.

What can fix it? My excellent colleague, Shelly Bird, recently reminded me that a lot of what we need is device identity. In order for us to begin securing IoT, we have to be able to reliably authenticate devices and apply the appropriate security controls to those devices -- and be able to identify misbehaving devices and remediate them.

I can already see tens of thousands of toasters used in a massive DoS attack against InfoWorld one day.

The best solution is one that I've been writing about for at least a decade -- the solution of pervasive authenticated identity (see my "Fixing the Internet" whitepaper). We'll never be able to fix all vulnerabilities in all devices. Heck, we can't even do that on a single device. Trying to fix individual problems on individual device platforms is like playing whack-a-mole across an endless prairie.

The real way to decrease Internet crime is to make it harder for the bad guys to get away with malicious hacking. Once the bad guys realize that they're likely to get caught -- and those who get away with it don't make much money -- Internet crime will decrease.

We have to embed pervasive identity into the infrastructure of the Internet. Nothing else will work. Although we haven't done a good job at fixing the biggest problems of Internet security over the last decade, I'm optimistic that we will when the right challenge presents itself. IoT might be the challenge we need to, at long last, get computer security right.